2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled

Information

Sleep and screen saver modes are low power modes that reduce electrical consumption while the system is not in use.

Rationale:

Prompting for a password when waking from sleep or screen saver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence.

Impact:

Without a screen lock in place, anyone with physical access to the computer would be logged in and able to use the active user's session.

Solution

Graphical Method:
Perform the following steps to enable a password for unlock after a screen saver begins or after sleep:

Open System Preferences

Select Security & Privacy

Select General

Set Require password after or screensaver begins with a time of immediately or 5 seconds

Terminal Method:
Run the following command to require a password to unlock the computer after the screen saver engages or the computer sleeps:

$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock immediate -password <administrator password>

or

$ /usr/bin/sudo /usr/sbin/sysadminctl -screenLock 5 seconds -password <administrator password>

Profile Method:
Create or edit a configuration profile with the following information:

The PayloadType string is com.apple.screensaver

The key to include is askForPassword

The key must be set to <true/>

The key to also include is askForPasswordDelay

The key must be set to <integer><0,5></integer>

See Also

https://workbench.cisecurity.org/benchmarks/11683